Logs, Are They Alright Now?


This topic is locked
23 replies to this topic

#1 Joshstork

Posted 29 August 2007 - 12:50 PM

Hi, I had malware, hate that thing...
But thankfully I sorted it out thanks to this forum: http://www.bleepingcomputer.com/forums/t/105116/privacy-protector-error-cleaner-spyware-malware-protection/
Except for one thing. I am going to post the logs from both SDFix and ComboFix, and was wondering if they are OK and what I do now?

This is the SDFix log:

SDFix: Version 1.100

Run by Neil Storkey on Wed 08/29/2007 at 12:54 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Neil Storkey\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Neil Storkey\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Neil Storkey\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\web.dat - Deleted


Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PopCap Games\\Alchemy Deluxe\\WinAlch.exe"="C:\\Program Files\\PopCap Games\\Alchemy Deluxe\\WinAlch.exe:*:Disabled:WinAlch"
"C:\\Program Files\\ImaginEngine\\Avalanche\\avalanche.exe"="C:\\Program Files\\ImaginEngine\\Avalanche\\avalanche.exe:*:Disabled:avalanche"
"C:\\Program Files\\Yahoo! Games\\FiberTwig\\FiberTwig.exe"="C:\\Program Files\\Yahoo! Games\\FiberTwig\\FiberTwig.exe:*:Disabled:Fiber Twig"
"C:\\Program Files\\Yahoo! Games\\Incredible Ink\\IncredibleInk.exe"="C:\\Program Files\\Yahoo! Games\\Incredible Ink\\IncredibleInk.exe:*:Disabled:Incredible Ink"
"C:\\Documents and Settings\\Neil Storkey\\My Documents\\Games\\utorrent.exe"="C:\\Documents and Settings\\Neil Storkey\\My Documents\\Games\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Freeciv-2.1.0-beta2-win32\\civserver.exe"="C:\\Program Files\\Freeciv-2.1.0-beta2-win32\\civserver.exe:*:Disabled:civserver"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Team17\\Worms 3D\\bin\\Worms3D.exe"="C:\\Team17\\Worms 3D\\bin\\Worms3D.exe:*:Enabled:Worms3D"
"C:\\Program Files\\Risk II\\RiskII.exe"="C:\\Program Files\\Risk II\\RiskII.exe:*:Enabled:Risk II"
"C:\\Program Files\\Disciples II - Galleans Return\\Discipl2.exe"="C:\\Program Files\\Disciples II - Galleans Return\\Discipl2.exe:*:Enabled:Disciples II v2.02"
"C:\\Program Files\\Roller Coaster Tycoon 2\\rct2.exe"="C:\\Program Files\\Roller Coaster Tycoon 2\\rct2.exe:*:Disabled:rct2"
"C:\\Program Files\\Disciples II - Rise of the Elves\\Discipl2.exe"="C:\\Program Files\\Disciples II - Rise of the Elves\\Discipl2.exe:*:Disabled:Disciples II v3.01"
"C:\\My Games\\Pearl Harbor - Zero Hour\\phz.exe"="C:\\My Games\\Pearl Harbor - Zero Hour\\phz.exe:*:Disabled:phz"
"C:\\Program Files\\Disciples II - Dark Prophecy\\Discipl2.exe"="C:\\Program Files\\Disciples II - Dark Prophecy\\Discipl2.exe:*:Disabled:Disciples II v1.41"
"C:\\Program Files\\Firefly Studios\\Stronghold 2-Demo\\Stronghold2Demo.exe"="C:\\Program Files\\Firefly Studios\\Stronghold 2-Demo\\Stronghold2Demo.exe:*:Disabled:Stronghold2Demo"
"C:\\WINDOWS\\Cyb2k.exe"="C:\\WINDOWS\\Cyb2k.exe:*:Enabled:CYBERsitter Control Panel"
"C:\\Program Files\\InterActual\\InterActual Player\\iPlayer.exe"="C:\\Program Files\\InterActual\\InterActual Player\\iPlayer.exe:*:Disabled:InterActual Player"
"C:\\Program Files\\Dark Reign 2\\dr2.exe"="C:\\Program Files\\Dark Reign 2\\dr2.exe:*:Disabled:Dark Reign 2"
"C:\\Program Files\\Defcon\\defcon.exe"="C:\\Program Files\\Defcon\\defcon.exe:*:Disabled:Defcon"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Valusoft\\Construction Destruction\\ConstructionDestruction.exe"="C:\\Program Files\\Valusoft\\Construction Destruction\\ConstructionDestruction.exe:*:Disabled:ConstructionDestruction"
"C:\\Program Files\\Valusoft\\18 Wheels of Steel - Across America\\prism3d.exe"="C:\\Program Files\\Valusoft\\18 Wheels of Steel - Across America\\prism3d.exe:*:Disabled:prism3d"
"C:\\Program Files\\Strategy First\\O.R.B\\orb.exe"="C:\\Program Files\\Strategy First\\O.R.B\\orb.exe:*:Disabled:Orb"
"C:\\Program Files\\Tribal Trouble\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Tribal Trouble\\jre1.5.0_04\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Valusoft\\Midnight Outlaw Illegal Street Drag - Nitro Edition\\OutlawNE.exe"="C:\\Program Files\\Valusoft\\Midnight Outlaw Illegal Street Drag - Nitro Edition\\OutlawNE.exe:*:Disabled:OutlawNE"
"C:\\Program Files\\Valusoft\\Canopy Games\\Hot Rod Garage to Glory\\HR2game.exe"="C:\\Program Files\\Valusoft\\Canopy Games\\Hot Rod Garage to Glory\\HR2game.exe:*:Disabled:HR2game"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BHO\\uninstall.exe"="C:\\Program Files\\BHO\\uninstall.exe:*:Enabled:BHO"
"C:\\Program Files\\Valusoft\\Navy Seals - Sea Air Land\\lithtech.exe"="C:\\Program Files\\Valusoft\\Navy Seals - Sea Air Land\\lithtech.exe:*:Disabled:Client"
"C:\\Program Files\\1701 A.D. Demo\\1701_Demo.exe"="C:\\Program Files\\1701 A.D. Demo\\1701_Demo.exe:*:Enabled:1701 A.D. Demo"
"C:\\Program Files\\Bots\\bots.dat"="C:\\Program Files\\Bots\\bots.dat:*:Disabled:Bout_d"
"C:\\Program Files\\National Guard\\Guard Shield\\PRISM.exe"="C:\\Program Files\\National Guard\\Guard Shield\\PRISM.exe:*:Enabled:Guard Shield"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Disabled:GunBound"
"C:\\ijji\\ENGLISH\\Gunz\\BAReport.exe"="C:\\ijji\\ENGLISH\\Gunz\\BAReport.exe:*:Disabled:BAReport MFC ?? ????"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\setup\\HPZNET01.EXE"="D:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\\setup\\HPONICIFS01.EXE"="D:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142 Server\\BF2142_w32ded.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142 Server\\BF2142_w32ded.exe:*:Enabled:BF2142_w32ded"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"="C:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe:*:Enabled:FEAR Combat"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Steam\\steamapps\\joshstork\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\joshstork\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL
C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL
C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE
C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE
C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE
C:\Documents and Settings\Penga House\Local Settings\Temp\BIT212.tmp
C:\Program Files\InterActual\InterActual Player\itiD8.tmp

Finished





Now this is the ComboFix log:

ComboFix 07-08-29.3 - "Neil Storkey" 2007-08-29 13:28:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.472 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\keys.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0104.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0106.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0204.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0315.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0412.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0504.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0904.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1125.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1204.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1215.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1909.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1920.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon2007.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\vidmon
C:\DOCUME~1\NEILST~1\APPLIC~1\curity~1
C:\DOCUME~1\NEILST~1\APPLIC~1\racle~1
C:\DOCUME~1\NEILST~1\APPLIC~1\smbols~1
C:\DOCUME~1\NEILST~1\MYDOCU~1\smbols~1
C:\DOCUME~1\NEILST~1\MYDOCU~1\ssembl~1
C:\DOCUME~1\PENGAH~1\APPLIC~1\HbTools_Icons
C:\DOCUME~1\PENGAH~1\FAVORI~1\Error Cleaner.url
C:\DOCUME~1\PENGAH~1\FAVORI~1\Privacy Protector.url
C:\DOCUME~1\PENGAH~1\FAVORI~1\Spyware&Malware Protection.url
C:\lswmv.ini
C:\Program Files\BHO
C:\Program Files\BHO\bho.dat
C:\Program Files\BHO\er.dat
C:\Program Files\BHO\plugin1.dll
C:\Program Files\BHO\plugin2.dll
C:\Program Files\BHO\uninstall.exe
C:\Program Files\Common Files\{30D74~1
C:\Program Files\Common Files\{40D74~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\uninstall information\RemoveWebDP.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\dobe~1
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\007D4EAC.urr
C:\Program Files\Instant Messenger Names
C:\Program Files\Instant Messenger Names\IM-svr.exe
C:\Program Files\mcroso~1
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\settings.dat
C:\Program Files\myglobalsearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\close.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\htmlctrl.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\login.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\unmax.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\wardrobe.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\ymante~1
C:\WINDOWS\dat.txt
C:\WINDOWS\ecurit~1
C:\WINDOWS\icroso~1
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\bpkwb.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\nfomon
C:\WINDOWS\system32\nfomon\License.txt
C:\WINDOWS\system32\nfomon\nfo.ocx
C:\WINDOWS\system32\nfomon\nfom.dll
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\sstem3~1\s?stem32\
C:\WINDOWS\system32\vidmon
C:\WINDOWS\system32\wapisvtr.exe
C:\WINDOWS\system32\wapitr.exe
C:\WINDOWS\system32\wnsxs~1


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-29 )))))))))))))))))))))))))))))))


2007-08-29 13:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 20:06 d-------- C:\Program Files\Race To Mars
2007-08-28 16:35 d-------- C:\WINDOWS\ERUNT
2007-08-28 11:21 d-------- C:\Program Files\SpywareBlaster
2007-08-27 21:28 d-------- C:\Program Files\Common Files\NSV
2007-08-27 17:59 237,568 --a------ C:\WINDOWS\wmpdev.dll
2007-08-27 17:59 180,224 --a------ C:\WINDOWS\wmphost.dll
2007-08-27 17:59 180,224 --a------ C:\WINDOWS\mxduo.dll
2007-08-21 20:56 d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Bioshock
2007-08-20 19:39 d-------- C:\Program Files\Ubisoft
2007-08-20 15:33 d-------- C:\Program Files\AusLogics Disk Defrag
2007-08-17 17:59 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-08-17 17:59 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-08-17 17:58 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-08-17 17:58 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-08-17 17:58 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-08-17 17:58 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-08-17 17:58 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-08-16 17:59 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-08-16 17:56 d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\WinRAR
2007-08-14 22:34 d-------- C:\Program Files\AviSynth 2.5
2007-08-14 22:27 d-------- C:\Program Files\pspvideo9
2007-08-12 13:48 d-------- C:\Program Files\Sierra
2007-08-11 16:23 d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\DivX
2007-08-10 10:27 d-------- C:\Program Files\gPotato


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 13:36 --------- d-------- C:\Program Files\Steam
2007-08-28 15:39 --------- d-------- C:\Program Files\Dark Reign 2
2007-08-28 14:43 --------- d-------- C:\Program Files\Electronic Arts
2007-08-28 14:33 --------- d-------- C:\DOCUME~1\PENGAH~1\APPLIC~1\ATI
2007-08-21 20:56 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-20 19:41 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-20 12:38 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-20 12:37 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-08-16 19:56 --------- d-------- C:\Program Files\LimeWire
2007-08-11 16:22 --------- d-------- C:\Program Files\DivX
2007-08-09 18:33 --------- d-------- C:\Program Files\Apple Software Update
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 9464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-25 22:53 9336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-25 22:53 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-25 22:53 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-24 14:54 --------- d-------- C:\Program Files\Live_TV
2007-07-23 19:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Talkback
2007-07-23 19:36 4048 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-23 13:33 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\RegSweep
2007-07-21 17:32 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\ATI
2007-07-21 17:29 --------- d-------- C:\Program Files\ATI Technologies
2007-07-15 16:19 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ATI
2007-07-15 16:07 --------- d-------- C:\Program Files\SystemRequirementsLab
2007-07-15 09:42 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Apple Computer
2007-07-14 15:58 --------- d-------- C:\Program Files\iTunes
2007-07-14 15:58 --------- d-------- C:\Program Files\iPod
2007-07-14 15:54 --------- d-------- C:\Program Files\QuickTime
2007-07-14 15:51 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:29 --------- d-------- C:\Program Files\Rockstar Games
2007-07-12 17:48 --------- d-------- C:\Program Files\StarSonata
2007-07-12 12:02 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\AdobeUM
2007-07-11 14:44 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-11 14:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Activision
2007-07-11 13:14 --------- d-------- C:\Program Files\Activision
2007-07-10 09:25 --------- d-------- C:\Program Files\Google
2007-07-09 11:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-01 14:18 --------- d-------- C:\Program Files\Sony Setup
2007-07-01 10:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AGN
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:10 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 15:24 268288 --------- C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 15:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 15:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 15:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 15:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 15:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 15:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 15:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 15:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 15:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 15:07 2922208 --------- C:\WINDOWS\system32\ati3duag.dll
2007-06-13 14:57 1512960 --------- C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 14:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 14:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 14:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 14:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 14:36 368640 --------- C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-09-11 16:57 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1696FE62-61A0-4E25-A74A-66E33DE8F89F}]
2007-03-19 14:30 60928 --a------ C:\WINDOWS\system32\aduwqjuo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}]
2006-02-02 19:01 40960 --a------ C:\WINDOWS\system32\Haxorwb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{208D7BCC-9857-4C9E-823B-D04E72490A67}]
2007-08-27 05:29 180224 --a------ C:\WINDOWS\mxduo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18]
"kgsystray"="C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe" []
"C2K"="C:\WINDOWS\Cyb2k.exe" []
"Nfo"="C:\WINDOWS\system32\nfomon\nfomon.exe" []
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2007-05-09 07:17]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 17:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2007-08-28 10:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Roai"="C:\WINDOWS\system32\SSTEM3~1\tracert.exe" []
"Idzfongz"="C:\WINDOWS\system32\?ppPatch\l?gonui.exe" []
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 17:54]
"Steam"="c:\program files\steam\steam.exe" [2007-07-15 19:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

C:\DOCUME~1\NEILST~1\STARTM~1\Programs\Startup\
Eyetide Launcher.lnk - C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe [2006-09-09 11:56:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmphost"= {624655AE-B788-4FE7-ACD0-42E5672D4903} - C:\WINDOWS\wmphost.dll [2007-08-27 05:29 180224]
"wmpdev"= {A35E8934-BB78-4D02-A49B-AA02FB2B6117} - C:\WINDOWS\wmpdev.dll [2007-08-27 05:29 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Neil Storkey^Start Menu^Programs^Startup^Eyetide Launcher.lnk]
path=C:\Documents and Settings\Neil Storkey\Start Menu\Programs\Startup\Eyetide Launcher.lnk
backup=C:\WINDOWS\pss\Eyetide Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bdaiumzx]
C:\WINDOWS\system32\rhbzkqvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMprocess]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtWeatherOnTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"c:\program files\zango\zango.exe"

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-08-22 21:38:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-10 00:00:00 C:\WINDOWS\Tasks\At1.job - C:\Documents
2007-07-09 18:00:00 C:\WINDOWS\Tasks\At2.job - C:\Documents
2007-07-09 15:21:36 C:\WINDOWS\Tasks\At3.job - C:\Documents
2007-07-23 17:28:49 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 13:36:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-29 13:43:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-29 13:43

--- E O F ---


Thanks. I would prefer one of the HJT team helping me with this, not some noob that I have no clue what he is talking about.



#2 Joshstork


Posted 03 September 2007 - 09:26 AM

Please can someone help me, because I'm starting to get the malware back; I don't think they worked.


PLEASE HELP!!!!

#3 RichieUK

  • Malware Response Team

Posted 03 September 2007 - 10:01 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Joshstork.
My name is Richie and I'll be helping you to fix your problems.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\wmpdev.dll
C:\WINDOWS\wmphost.dll
C:\WINDOWS\mxduo.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1696FE62-61A0-4E25-A74A-66E33DE8F89F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{208D7BCC-9857-4C9E-823B-D04E72490A67}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nfo"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmphost"=-
"wmpdev"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bdaiumzx]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

Also post a new Hijackthis log please.

Edited by RichieUK, 03 September 2007 - 10:02 AM.


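An added example (not from the thread, and not ComboFix's own code): a small Python parser for the CFScript format used in the post above, turning the File:: and Registry:: sections into a list of delete actions, plus the reverse so a script can be generated from a list of findings. It assumes the usual .reg meaning of [-KEY] (delete the whole key) and "Name"=- under a [KEY] header (delete that value), and that the \~\ shorthand ComboFix uses in key paths stands for SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer; both are assumptions, since the page does not document the format. The sample script is the one posted above.

```python
"""Parse a ComboFix CFScript into the actions it asks ComboFix to perform.

Added example: not ComboFix's own code and not posted in the thread. Assumed
semantics (not documented on this page): 'File::' lists files to delete;
'Registry::' uses .reg syntax, where '[-KEY]' deletes a key and a '"Name"=-'
line under a '[KEY]' header deletes that value; and the
'HKEY_LOCAL_MACHINE\\~\\' shorthand stands for
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\.
"""
import re
from dataclasses import dataclass, field

EXPLORER = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

# The script Richie posted above, used here as sample input.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\wmpdev.dll
C:\WINDOWS\wmphost.dll
C:\WINDOWS\mxduo.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1696FE62-61A0-4E25-A74A-66E33DE8F89F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{208D7BCC-9857-4C9E-823B-D04E72490A67}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nfo"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmphost"=-
"wmpdev"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bdaiumzx]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"""


@dataclass
class Actions:
    delete_files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name) pairs


def expand(key: str) -> str:
    """Expand the '\\~\\' shorthand to the full Explorer key path (assumption, see above)."""
    return key.replace("\\~\\", "\\" + EXPLORER + "\\", 1)


def parse_cfscript(text: str) -> Actions:
    actions, section, current_key = Actions(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header, e.g. File::
            section, current_key = line[:-2], None
            continue
        if section == "File":
            actions.delete_files.append(line)
        elif section == "Registry":
            key_match = re.fullmatch(r"\[(-?)(.+)\]", line)
            if key_match:
                key = expand(key_match.group(2))
                if key_match.group(1) == "-":        # [-KEY]: delete the whole key
                    actions.delete_keys.append(key)
                    current_key = None
                else:                                # [KEY]: value lines below refer to it
                    current_key = key
                continue
            value_match = re.fullmatch(r'"([^"]+)"=-', line)
            if value_match and current_key:          # "Name"=- : delete one value
                actions.delete_values.append((current_key, value_match.group(1)))
            else:
                raise ValueError(f"unsupported Registry:: line: {line}")
        else:
            raise ValueError(f"line outside any section: {line}")
    return actions


def to_cfscript(actions: Actions) -> str:
    """Render actions back into CFScript text, e.g. from a list of findings."""
    out = ["File::", *actions.delete_files, "", "Registry::"]
    out += [f"[-{key}]" for key in actions.delete_keys]
    values_by_key: dict = {}
    for key, name in actions.delete_values:
        values_by_key.setdefault(key, []).append(name)
    for key, names in values_by_key.items():
        out.append(f"[{key}]")
        out += [f'"{name}"=-' for name in names]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print(f"{len(parsed.delete_files)} files, {len(parsed.delete_keys)} keys, "
          f"{len(parsed.delete_values)} values to delete")
```

Running a script through the parser before dragging it onto ComboFix is a cheap way to catch a mistyped key, or a "Name"=- line with no [KEY] header above it; the parser rejects those rather than guessing.
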
#4 Joshstork


Posted 04 September 2007 - 04:40 PM

OK, I have done what you have asked.

These are the logs from ComboFix:
ComboFix 07-08-29.3 - "Neil Storkey" 2007-09-04 17:07:02.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.557 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Neil Storkey\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\wmpdev.dll
C:\WINDOWS\wmphost.dll
C:\WINDOWS\mxduo.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\wmpdev.dll


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 15:35 266,240 --a------ C:\WINDOWS\msmdev.dll
2007-09-04 15:35 253,952 --a------ C:\WINDOWS\msmhost.dll
2007-09-04 15:35 208,896 --a------ C:\WINDOWS\nsduo.dll
2007-09-03 19:10 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-09-03 19:10 <DIR> d-------- C:\PacSteam
2007-09-03 15:27 <DIR> d-------- C:\Steam
2007-09-03 15:12 <DIR> d-------- C:\Program Files\uTorrent
2007-09-03 15:12 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\uTorrent
2007-08-29 13:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 20:06 <DIR> d-------- C:\Program Files\Race To Mars
2007-08-28 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-28 11:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-27 21:28 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-08-21 20:56 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Bioshock
2007-08-20 19:39 <DIR> d-------- C:\Program Files\Ubisoft
2007-08-20 15:33 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-08-17 17:59 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-08-17 17:59 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-08-17 17:58 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-08-17 17:58 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-08-17 17:58 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-08-17 17:58 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-08-17 17:58 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-08-16 17:59 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-08-16 17:56 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\WinRAR
2007-08-14 22:34 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-08-14 22:27 <DIR> d-------- C:\Program Files\pspvideo9
2007-08-12 13:48 <DIR> d-------- C:\Program Files\Sierra
2007-08-11 16:23 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\DivX
2007-08-10 10:27 <DIR> d-------- C:\Program Files\gPotato


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 17:30 --------- d-------- C:\Program Files\Steam
2007-09-02 17:23 --------- d-------- C:\Program Files\Trillian
2007-08-31 18:46 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-08-28 15:39 --------- d-------- C:\Program Files\Dark Reign 2
2007-08-28 14:43 --------- d-------- C:\Program Files\Electronic Arts
2007-08-28 14:33 --------- d-------- C:\DOCUME~1\PENGAH~1\APPLIC~1\ATI
2007-08-21 20:56 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-20 19:41 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-20 12:38 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-16 19:56 --------- d-------- C:\Program Files\LimeWire
2007-08-11 16:22 --------- d-------- C:\Program Files\DivX
2007-08-09 18:33 --------- d-------- C:\Program Files\Apple Software Update
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 9464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-25 22:53 9336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-25 22:53 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-25 22:53 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-24 14:54 --------- d-------- C:\Program Files\Live_TV
2007-07-23 19:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Talkback
2007-07-23 19:36 4048 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-23 13:33 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\RegSweep
2007-07-21 17:32 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\ATI
2007-07-21 17:29 --------- d-------- C:\Program Files\ATI Technologies
2007-07-15 16:19 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ATI
2007-07-15 16:07 --------- d-------- C:\Program Files\SystemRequirementsLab
2007-07-15 09:42 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Apple Computer
2007-07-14 15:58 --------- d-------- C:\Program Files\iTunes
2007-07-14 15:58 --------- d-------- C:\Program Files\iPod
2007-07-14 15:54 --------- d-------- C:\Program Files\QuickTime
2007-07-14 15:51 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:29 --------- d-------- C:\Program Files\Rockstar Games
2007-07-12 17:48 --------- d-------- C:\Program Files\StarSonata
2007-07-12 12:02 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\AdobeUM
2007-07-11 14:44 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-11 14:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Activision
2007-07-11 13:14 --------- d-------- C:\Program Files\Activision
2007-07-10 09:25 --------- d-------- C:\Program Files\Google
2007-07-09 11:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:10 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 15:24 268288 --------- C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 15:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 15:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 15:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 15:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 15:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 15:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 15:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 15:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 15:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 15:07 2922208 --------- C:\WINDOWS\system32\ati3duag.dll
2007-06-13 14:57 1512960 --------- C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 14:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 14:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 14:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 14:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 14:36 368640 --------- C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-09-11 16:57 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-29_134147.60 )))))))))))))))))))))))))))))))))))))))))

----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\$hf_mig$\KB933360\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$hf_mig$\KB933360\spuninst.exe
----a-w 60,416 2007-07-18 10:33:06 C:\WINDOWS\$hf_mig$\KB933360\SP2QFE\tzchange.exe
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\$hf_mig$\KB933360\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$hf_mig$\KB933360\update\updspapi.dll
-c----w 60,416 2007-01-29 08:58:06 C:\WINDOWS\$NtUninstallKB933360$\tzchange.exe
-c----w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe
-c----w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$NtUninstallKB933360$\spuninst\updspapi.dll
----a-w 6,664,192 2007-08-30 19:35:49 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 204,800 2007-08-30 19:35:50 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
------w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
----a-w 174,590 2006-09-04 17:05:41 C:\WINDOWS\system32\web.dat

----a-w 6,647,808 2007-08-29 16:53:33 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 204,800 2007-08-29 16:53:34 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
------w 60,416 2007-01-29 08:58:06 C:\WINDOWS\system32\tzchange.exe
----a-w 4,476 2006-08-29 13:18:47 C:\WINDOWS\system32\web.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}]
2007-09-04 06:00 208896 --a------ C:\WINDOWS\nsduo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18]
"kgsystray"="C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe" []
"C2K"="C:\WINDOWS\Cyb2k.exe" []
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2007-05-09 07:17]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 17:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2007-08-28 10:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Roai"="C:\WINDOWS\system32\SSTEM3~1\tracert.exe" []
"Idzfongz"="C:\WINDOWS\system32\?ppPatch\l?gonui.exe" []
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 17:54]
"Steam"="c:\program files\steam\steam.exe" [2007-07-15 19:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

C:\DOCUME~1\NEILST~1\STARTM~1\Programs\Startup\
Eyetide Launcher.lnk - C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe [2006-09-09 11:56:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msmhost"= {84255EBD-3C8E-42A6-A42D-85973FB1FD6D} - C:\WINDOWS\msmhost.dll [2007-09-04 06:00 253952]
"msmdev"= {3109DB65-F5C5-4BE3-98FC-8DCB83640F97} - C:\WINDOWS\msmdev.dll [2007-09-04 06:00 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Neil Storkey^Start Menu^Programs^Startup^Eyetide Launcher.lnk]
path=C:\Documents and Settings\Neil Storkey\Start Menu\Programs\Startup\Eyetide Launcher.lnk
backup=C:\WINDOWS\pss\Eyetide Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMprocess]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtWeatherOnTray.exe

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
R3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-08-29 21:38:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-10 00:00:00 C:\WINDOWS\Tasks\At1.job - C:\Documents
2007-07-09 18:00:00 C:\WINDOWS\Tasks\At2.job - C:\Documents
2007-07-09 15:21:36 C:\WINDOWS\Tasks\At3.job - C:\Documents
2007-07-23 17:28:49 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 17:29:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 17:34:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 17:34
C:\ComboFix2.txt ... 2007-09-04 15:45
C:\ComboFix3.txt ... 2007-09-03 20:09

--- E O F ---


And these are the logs from the other search-for-infected-files program you asked me to run:

SmitFraudFix v2.219

Scan done at 17:36:49.76, Tue 09/04/2007
Run from C:\Documents and Settings\Neil Storkey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Electronic Arts\EA Link\Core.exe
C:\Program Files\Ares\Ares.exe
C:\program files\steam\steam.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Neil Storkey


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Neil Storkey\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\NEILST~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.60
DNS Server Search Order: 85.255.112.226

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: NETGEAR WG111T 108Mbps Wireless USB2.0 Adapter - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.60
DNS Server Search Order: 85.255.112.226

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

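The DNS section above is what SmitFraudFix's "DNS Hijack" warning is based on. As an added example (not part of the thread and not SmitFraudFix's own code), this Python checker parses those registry lines, flags every resolver in the 85.255.0.0/16 range the tool names, and separately reports scopes where a static NameServer overrides the DHCP-supplied list (192.168.1.1 here, presumably the router), since Windows prefers the static value. The sample lines are copied from the report above.

```python
"""Check the DNS section of a SmitFraudFix report for hijacked resolvers.

Added example: not part of the thread and not SmitFraudFix's own code. The
sample lines are copied from the report above; 85.255.0.0/16 is the range
the tool's own warning names ("85.255.x.x detected !").
"""
import ipaddress
import re
from collections import defaultdict

ROGUE_NETS = [ipaddress.ip_network("85.255.0.0/16")]

# Sample input, taken from the report above (CCS = CurrentControlSet).
SAMPLE = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
"""

# One report line: control set, per-interface GUID or the global Parameters
# key, the setting name, and a comma- or space-separated server list.
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|(?P<params>Parameters)): "
    r"(?P<setting>DhcpNameServer|NameServer)=(?P<servers>.+?)\s*$"
)


def is_rogue(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_NETS)


def parse_dns_section(text: str) -> dict:
    """Map (control set, interface GUID or 'Parameters') -> {setting: [servers]}."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("guid") or m.group("params")
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        table[(m.group("cs"), scope)][m.group("setting")] = servers
    return dict(table)


def analyze(text: str) -> dict:
    """Return rogue resolvers and static-over-DHCP overrides found in the section."""
    rogue, overrides = [], []
    for (cs, scope), settings in parse_dns_section(text).items():
        for setting, servers in settings.items():
            rogue += [(cs, scope, setting, ip) for ip in servers if is_rogue(ip)]
        static, dhcp = settings.get("NameServer"), settings.get("DhcpNameServer")
        # Windows uses a static NameServer in preference to the DHCP-supplied
        # list, so a malware-set static value wins even when DHCP is correct.
        if static and dhcp and static != dhcp:
            overrides.append((cs, scope, dhcp, static))
    return {"rogue": sorted(rogue), "overrides": sorted(overrides)}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for cs, scope, setting, ip in result["rogue"]:
        print(f"{cs} {scope}: {setting} -> {ip} is in a rogue range")
    for cs, scope, dhcp, static in result["overrides"]:
        print(f"{cs} {scope}: static {static} overrides DHCP {dhcp}")
```

Two things the per-scope view shows that the summary line does not: the static NameServer is set on every interface and in the global Parameters key, so clearing it on one adapter is not enough; and on interface {EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E} the rogue addresses are in DhcpNameServer itself, so removing a static value would not fix that adapter.
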
#5 RichieUK

  • Malware Response Team

Posted 04 September 2007 - 05:04 PM

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new Hijackthis log please.

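The DNS section of the SmitFraudFix log above shows the condition these fixes target: the gateway hands out 192.168.1.1 through DHCP (DhcpNameServer), but a static NameServer value on each interface and on the global Tcpip\Parameters key points at 85.255.114.60 / 85.255.112.226 instead, and one interface even reports those addresses as its DHCP-assigned resolver. The following Python script is an added example, not part of this thread or of the SmitFraudFix / Fixwareout tools: it parses SmitFraudFix-style DNS lines (the sample lines are copied from the log above, plus one constructed interface with an all-zero GUID that uses the gateway resolver) and lists the entries an analyst should verify. The function names and the heuristic are this example's own.

```python
"""Triage the DNS section of a SmitFraudFix-style log (added example).

Heuristic used here, not the tool's own logic: on a home network the
gateway hands out the resolver via DHCP (DhcpNameServer). A static
NameServer value, on the global Tcpip\\Parameters key or on an interface
GUID, that points elsewhere overrides DHCP, and an interface whose
DhcpNameServer differs from the global one is equally worth a look.
Static DNS can be deliberate, so the result is a list to verify, not a verdict.
"""
import re
from collections import defaultdict

# Sample lines copied from the SmitFraudFix "DNS" section in this thread, plus
# one constructed interface (all-zero GUID) that simply uses the DHCP resolver.
SAMPLE_DNS_LOG = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
"""

# One line of the log: control set, then either "..\{GUID}" or "Parameters",
# then the value name and its address list.
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|(?P<params>Parameters)): "
    r"(?P<name>DhcpNameServer|NameServer)=(?P<value>.*)$"
)


def parse_dns_lines(text):
    """Map (control set, scope) -> {"NameServer": [...], "DhcpNameServer": [...]}.

    scope is an interface GUID or the literal "Parameters" for the global key.
    The log separates addresses with a comma under the GUID keys and with a
    space under Parameters, so both separators are accepted.
    """
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("guid") or m.group("params")
        servers = [s for s in re.split(r"[,\s]+", m.group("value").strip()) if s]
        entries[(m.group("cset"), scope)][m.group("name")] = servers
    return dict(entries)


def find_dns_anomalies(text):
    """Return findings as (control set, scope, kind, servers).

    kind is "static_override" when a NameServer value names a resolver that
    DHCP did not assign, or "dhcp_mismatch" when an interface's DhcpNameServer
    differs from the global Tcpip\\Parameters DhcpNameServer.
    """
    entries = parse_dns_lines(text)
    findings = []
    for (cset, scope), values in sorted(entries.items()):
        expected = set(entries.get((cset, "Parameters"), {}).get("DhcpNameServer", []))
        dhcp = values.get("DhcpNameServer", [])
        static = values.get("NameServer", [])
        if scope != "Parameters" and dhcp and not set(dhcp) <= expected:
            findings.append((cset, scope, "dhcp_mismatch", dhcp))
        # An interface without its own DhcpNameServer is judged against the global one.
        if static and not set(static) <= (set(dhcp) or expected):
            findings.append((cset, scope, "static_override", static))
    return findings


if __name__ == "__main__":
    for cset, scope, kind, servers in find_dns_anomalies(SAMPLE_DNS_LOG):
        print(f"{cset} {scope}: {kind} -> {', '.join(servers)}")
```

On the sample this reports four static overrides (the global key and three interfaces) and one DHCP mismatch, and says nothing about the constructed clean interface.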

#6 Joshstork

Joshstork
  • Topic Starter

  • Members
  • 15 posts

Posted 05 September 2007 - 03:19 PM

Hello again,
this is the Smitfraudfix log;

SmitFraudFix v2.219

Scan done at 15:35:22.06, Wed 09/05/2007
Run from C:\Documents and Settings\Neil Storkey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\WINDOWS\Tasks\At?.job Deleted
C:\DOCUME~1\NEILST~1\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\NEILST~1\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\NEILST~1\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\NEILST~1\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\NEILST~1\FAVORI~1\Privacy Protector.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9D4602F5-F1ED-40FA-881D-E11817F40576}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AF8349D7-E130-426A-9058-E1408B6C25A1}: NameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}: DhcpNameServer=85.255.114.60,85.255.112.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.60 85.255.112.226


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



----------------------------------------------------------------------------------------------------------------------------------------------
That's the end of that log

This log is the fixwareout log;

Username "Neil Storkey" - 09/05/2007 15:45:24 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.60 85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1302F2E7-A8C5-4D6B-ABAA-B18C5861B6AE}
"nameserver"="85.255.114.60,85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9D4602F5-F1ED-40FA-881D-E11817F40576}
"nameserver"="85.255.114.60,85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AF8349D7-E130-426A-9058-E1408B6C25A1}
"nameserver"="85.255.114.60,85.255.112.226" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EFAC90F1-1F8D-432A-977B-C9EA71D1DE1E}
"DhcpNameServer"="85.255.114.60,85.255.112.226" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"kgsystray"="C:\\Program Files\\Kuma Games\\kgsystray\\Kuma_tray.exe"
"C2K"="C:\\WINDOWS\\Cyb2k.exe"
"BearFlix"="\"C:\\Program Files\\BearFlix\\BearFlix.exe\" /pause"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"cctray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\cctray\\cctray.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Roai"="\"C:\\WINDOWS\\system32\\SSTEM3~1\\tracert.exe\" -vt yazb"
"Idzfongz"="\"C:\\WINDOWS\\system32\\?ppPatch\\l?gonui.exe\" 99001122"
"EA Core"="\"C:\\Program Files\\Electronic Arts\\EA Link\\Core.exe\" -silent"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

----------------------------------------------------------------------------------------------------------------------------------------------

Now this is the SDFix log ;


SDFix: Version 1.100

Run by Neil Storkey on Wed 09/05/2007 at 04:00 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\web.dat - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:HP Network Device Rediscovery Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL
C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL
C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE
C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE
C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE
C:\Program Files\InterActual\InterActual Player\itiD8.tmp

Finished

Ok, that's it

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 05 September 2007 - 04:17 PM

Could you post the new Hijackthis log as requested please.

#8 Joshstork

Joshstork
  • Topic Starter

  • Members
  • 15 posts

Posted 05 September 2007 - 07:24 PM

What do you mean?

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 06 September 2007 - 05:57 AM

Post a new Hijackthis log please.

#10 Joshstork

Joshstork
  • Topic Starter

  • Members
  • 15 posts

Posted 08 September 2007 - 03:54 PM

Ok, sorry about that, I didn't get what you were talking about,

Here is the hijackthis log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:09 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [kgsystray] C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Roai] "C:\WINDOWS\system32\SSTEM3~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Idzfongz] "C:\WINDOWS\system32\?ppPatch\l?gonui.exe" 99001122
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neil Storkey\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161381435595
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O21 - SSODL: msmhost - {84255EBD-3C8E-42A6-A42D-85973FB1FD6D} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {3109DB65-F5C5-4BE3-98FC-8DCB83640F97} - C:\WINDOWS\msmdev.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 12675 bytes
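A first pass over a HijackThis log like the one above can be mechanised. The script below is an added example, neither HijackThis's own code nor part of this thread: it applies a few triage heuristics of its own (entries whose file is gone, BHO/SSODL modules sitting directly in C:\WINDOWS, autostart entries whose path contains "?" characters HijackThis could not display or that run from a subdirectory of system32, and Active Desktop components that load a local HTML file). The sample lines are copied from the log above; the function names are this example's, and a flagged line is something to verify, not a verdict.

```python
"""Triage heuristics for HijackThis log lines (added example, not HijackThis code).

Each rule marks an entry for a closer look; legitimate software can trip
them, so the analyst still checks every flagged line.
"""
import re

# Constructed excerpt: lines copied from the HijackThis log posted above,
# including a few ordinary entries that must not be flagged.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Roai] "C:\WINDOWS\system32\SSTEM3~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Idzfongz] "C:\WINDOWS\system32\?ppPatch\l?gonui.exe" 99001122
O21 - SSODL: msmhost - {84255EBD-3C8E-42A6-A42D-85973FB1FD6D} - C:\WINDOWS\msmhost.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# A DLL placed directly in the Windows directory rather than in a program folder.
WINDOWS_ROOT_MODULE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
# An executable that lives in a subdirectory below system32.
SYSTEM32_SUBDIR_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\", re.IGNORECASE)


def _exe_path(command):
    """Executable path of an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_hjt(text):
    """Return [{"section", "reasons", "line"}] for every line that trips a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith(" - (no file)"):
            reasons.append("entry points at a file that no longer exists")
        if section in ("O2", "O21"):
            module = body.rsplit(" - ", 1)[-1]
            if WINDOWS_ROOT_MODULE.match(module):
                reasons.append("module sits directly in the Windows directory")
            if section == "O21":
                reasons.append("SSODL entry is loaded by Explorer at every logon")
        if section == "O4":
            # "[name] command" for Run keys; Startup-folder lines have no bracket.
            command = body.split("] ", 1)[-1] if "] " in body else body
            path = _exe_path(command)
            if "?" in path:
                reasons.append("path contains characters HijackThis could not display")
            if SYSTEM32_SUBDIR_EXE.match(path):
                reasons.append("autostart executable in a subdirectory of system32")
        if section == "O24" and "file:///" in body.lower():
            reasons.append("Active Desktop component loads a local HTML file")
        if reasons:
            findings.append({"section": section, "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f["line"])
        for reason in f["reasons"]:
            print("   -", reason)
```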

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 09 September 2007 - 05:06 AM

Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

#12 Joshstork

Joshstork
  • Topic Starter

  • Members
  • 15 posts

Posted 09 September 2007 - 05:48 PM

ComboFix 07-08-29.3 - "Neil Storkey" 2007-09-09 15:53:14.24 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.333 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\NEILST~1\FAVORI~1\Error Cleaner.url
C:\DOCUME~1\NEILST~1\FAVORI~1\Privacy Protector.url
C:\DOCUME~1\NEILST~1\FAVORI~1\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))


2007-09-08 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 18:16 <DIR> d-------- C:\Program Files\iTunes
2007-09-05 18:16 <DIR> d-------- C:\Program Files\iPod
2007-09-04 17:37 2,812 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-04 17:36 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-04 17:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-04 17:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-04 15:35 266,240 --a------ C:\WINDOWS\msmdev.dll
2007-09-04 15:35 253,952 --a------ C:\WINDOWS\msmhost.dll
2007-09-04 15:35 208,896 --a------ C:\WINDOWS\nsduo.dll
2007-09-03 19:10 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-09-03 19:10 <DIR> d-------- C:\PacSteam
2007-09-03 15:27 <DIR> d-------- C:\Steam
2007-09-03 15:12 <DIR> d-------- C:\Program Files\uTorrent
2007-09-03 15:12 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\uTorrent
2007-08-29 13:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 20:06 <DIR> d-------- C:\Program Files\Race To Mars
2007-08-28 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-28 11:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-27 21:28 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-08-21 20:56 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Bioshock
2007-08-20 19:39 <DIR> d-------- C:\Program Files\Ubisoft
2007-08-20 15:33 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-08-17 17:59 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-08-17 17:59 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-08-17 17:58 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-08-17 17:58 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-08-17 17:58 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-08-17 17:58 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-08-17 17:58 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-08-16 17:59 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-08-16 17:56 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\WinRAR
2007-08-14 22:34 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-08-14 22:27 <DIR> d-------- C:\Program Files\pspvideo9
2007-08-12 13:48 <DIR> d-------- C:\Program Files\Sierra
2007-08-11 16:23 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\DivX
2007-08-10 10:27 <DIR> d-------- C:\Program Files\gPotato


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-09 10:33 --------- d-------- C:\Program Files\Steam
2007-09-02 17:23 --------- d-------- C:\Program Files\Trillian
2007-08-31 18:46 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-08-28 15:39 --------- d-------- C:\Program Files\Dark Reign 2
2007-08-28 14:43 --------- d-------- C:\Program Files\Electronic Arts
2007-08-28 14:33 --------- d-------- C:\DOCUME~1\PENGAH~1\APPLIC~1\ATI
2007-08-21 20:56 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-20 19:41 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-20 12:38 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-16 19:56 --------- d-------- C:\Program Files\LimeWire
2007-08-11 16:22 --------- d-------- C:\Program Files\DivX
2007-08-09 18:33 --------- d-------- C:\Program Files\Apple Software Update
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 9464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-25 22:53 9336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-25 22:53 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-25 22:53 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-24 14:54 --------- d-------- C:\Program Files\Live_TV
2007-07-23 19:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Talkback
2007-07-23 19:36 4048 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-23 13:33 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\RegSweep
2007-07-21 17:32 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\ATI
2007-07-21 17:29 --------- d-------- C:\Program Files\ATI Technologies
2007-07-15 16:19 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ATI
2007-07-15 16:07 --------- d-------- C:\Program Files\SystemRequirementsLab
2007-07-15 09:42 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Apple Computer
2007-07-14 15:54 --------- d-------- C:\Program Files\QuickTime
2007-07-14 15:51 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:29 --------- d-------- C:\Program Files\Rockstar Games
2007-07-12 17:48 --------- d-------- C:\Program Files\StarSonata
2007-07-12 12:02 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\AdobeUM
2007-07-11 14:44 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-11 14:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Activision
2007-07-11 13:14 --------- d-------- C:\Program Files\Activision
2007-07-10 09:25 --------- d-------- C:\Program Files\Google
2007-07-09 11:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:10 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 15:24 268288 --------- C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 15:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 15:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 15:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 15:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 15:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 15:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 15:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 15:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 15:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 15:07 2922208 --------- C:\WINDOWS\system32\ati3duag.dll
2007-06-13 14:57 1512960 --------- C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 14:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 14:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 14:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 14:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 14:36 368640 --------- C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-09-11 16:57 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-29_134147.60 )))))))))))))))))))))))))))))))))))))))))

----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\$hf_mig$\KB933360\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$hf_mig$\KB933360\spuninst.exe
----a-w 60,416 2007-07-18 10:33:06 C:\WINDOWS\$hf_mig$\KB933360\SP2QFE\tzchange.exe
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\$hf_mig$\KB933360\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$hf_mig$\KB933360\update\updspapi.dll
-c----w 60,416 2007-01-29 08:58:06 C:\WINDOWS\$NtUninstallKB933360$\tzchange.exe
-c----w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe
-c----w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$NtUninstallKB933360$\spuninst\updspapi.dll
----a-w 6,799,360 2007-09-05 19:58:39 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 204,800 2007-09-05 19:58:40 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-r 102,400 2007-09-05 22:16:42 C:\WINDOWS\Installer\{974C05A0-C76C-4724-A9A2-11D5D1355729}\iTunesIco.exe
------w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
----a-w 182,248 2007-08-07 21:20:44 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
----a-w 585,728 2007-08-07 17:35:56 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-08-07 17:19:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-08-07 17:36:32 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,113,600 2007-08-07 20:52:32 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-08-07 17:08:48 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-08-07 17:17:24 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-08-07 17:35:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-08-07 17:35:32 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-08-07 17:28:38 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 391,144 2007-08-07 21:20:28 C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
----a-w 77,824 2007-08-07 17:37:56 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-08-07 17:35:18 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-08-07 17:37:58 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
----a-w 50,808 2007-08-07 17:08:46 C:\WINDOWS\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL

----a-w 6,647,808 2007-08-29 16:53:33 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 204,800 2007-08-29 16:53:34 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
------w 60,416 2007-01-29 08:58:06 C:\WINDOWS\system32\tzchange.exe
----a-w 182,512 2007-05-02 16:32:04 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
----a-w 585,728 2007-04-30 21:11:28 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-04-30 20:08:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-04-30 20:30:38 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,089,024 2007-04-30 20:47:02 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-04-30 19:47:42 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-04-30 20:05:32 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-04-30 21:11:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-04-30 21:11:24 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-04-30 21:11:30 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 77,824 2007-04-30 20:33:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-04-30 20:29:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-04-30 20:33:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}]
2007-09-04 06:00 208896 --a------ C:\WINDOWS\nsduo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18]
"kgsystray"="C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe" []
"C2K"="C:\WINDOWS\Cyb2k.exe" []
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2007-05-09 07:17]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 17:01]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2007-08-28 10:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Roai"="C:\WINDOWS\system32\SSTEM3~1\tracert.exe" []
"Idzfongz"="C:\WINDOWS\system32\?ppPatch\l?gonui.exe" []
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 17:54]
"Steam"="c:\program files\steam\steam.exe" [2007-07-15 19:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

C:\DOCUME~1\NEILST~1\STARTM~1\Programs\Startup\
Eyetide Launcher.lnk - C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe [2006-09-09 11:56:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msmhost"= {84255EBD-3C8E-42A6-A42D-85973FB1FD6D} - C:\WINDOWS\msmhost.dll [2007-09-04 06:00 253952]
"msmdev"= {3109DB65-F5C5-4BE3-98FC-8DCB83640F97} - C:\WINDOWS\msmdev.dll [2007-09-04 06:00 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Neil Storkey^Start Menu^Programs^Startup^Eyetide Launcher.lnk]
path=C:\Documents and Settings\Neil Storkey\Start Menu\Programs\Startup\Eyetide Launcher.lnk
backup=C:\WINDOWS\pss\Eyetide Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMprocess]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtWeatherOnTray.exe

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
R3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-09-05 21:38:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-23 17:28:49 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 16:08:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-09 16:14:01
C:\ComboFix-quarantined-files.txt ... 2007-09-09 16:13
C:\ComboFix2.txt ... 2007-09-09 10:07
C:\ComboFix3.txt ... 2007-09-09 09:53

--- E O F ---

#13 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 10 September 2007 - 04:48 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\nsduo.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msmhost"=-
"msmdev"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
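As an added illustration of what a log reader checks in the Run keys of the log above, and of the CFScript Registry:: syntax used in this post (example code written for this thread, not ComboFix's own and not from the original posts): it parses a constructed fragment of the "Reg Loading Points" section, scores each autostart value with heuristics of my own, and renders the `"name"=-` deletion lines. The sample lines, the scoring weights and all function names are assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not ComboFix code and not part of
the original posts. The sample lines below are constructed from the
Run-key entries in the log above, and the heuristics, scores and
function names are the author's own choices."""
import re
from dataclasses import dataclass, field

# Constructed sample: a fragment of a ComboFix "Reg Loading Points" section.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18]
"C2K"="C:\WINDOWS\Cyb2k.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"Roai"="C:\WINDOWS\system32\SSTEM3~1\tracert.exe" []
"Idzfongz"="C:\WINDOWS\system32\?ppPatch\l?gonui.exe" []
"Steam"="c:\program files\steam\steam.exe" [2007-07-15 19:12]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="path" [date time]  -- the bracket is empty when ComboFix found no file to stamp
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')


@dataclass
class Finding:
    key: str
    name: str
    path: str
    stamp: str
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def flagged(self) -> bool:
        # One weak signal alone (e.g. an uninstalled program) is not enough.
        return self.score >= 2


def assess(path: str, stamp: str):
    """Return (reasons, score) for one autostart target (heuristics are assumptions)."""
    reasons, score = [], 0
    if "?" in path:
        # ComboFix prints characters it cannot render as '?', so the real
        # path differs from what the log shows: a common disguise.
        reasons.append("non-printable characters in path")
        score += 3
    if re.search(r"\\system32\\[^\\]*~\d+\\", path, re.IGNORECASE):
        # An 8.3 short name directly under system32 hides a folder whose
        # long name was chosen to look like a system directory.
        reasons.append("8.3 short-name folder under system32")
        score += 2
    if stamp == "":
        reasons.append("no file date recorded (target not found at scan time)")
        score += 1
    return reasons, score


def analyze_loading_points(text: str) -> list:
    """Walk the log fragment and build one Finding per Run-key value."""
    findings, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            reasons, score = assess(m.group("path"), m.group("stamp"))
            findings.append(Finding(current_key, m.group("name"), m.group("path"),
                                    m.group("stamp"), reasons, score))
    return findings


def cfscript_for(findings: list) -> str:
    """Render the Registry:: part of a CFScript, in the form used in the
    thread ("name"=- deletes that value), for every flagged entry.
    File:: lines are deliberately not generated: paths containing '?'
    cannot be typed back as shown, so confirm the real file on the machine."""
    by_key = {}
    for f in findings:
        if f.flagged:
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = analyze_loading_points(SAMPLE_LOG)
    for f in results:
        mark = "FLAG" if f.flagged else "    "
        print(f"{mark} {f.name:<20} {f.path}  {'; '.join(f.reasons)}")
    print(cfscript_for(results))
```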

#14 Joshstork

  • Topic Starter

  • Members
  • 15 posts

Posted 10 September 2007 - 02:48 PM

This is the ComboFix log:
ComboFix 07-08-29.3 - "Neil Storkey" 2007-09-10 15:32:51.25 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Neil Storkey\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\nsduo.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\dat.txt
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\nsduo.dll
C:\WINDOWS\rs.txt


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))


2007-09-08 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 18:16 <DIR> d-------- C:\Program Files\iTunes
2007-09-05 18:16 <DIR> d-------- C:\Program Files\iPod
2007-09-04 17:37 2,812 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-04 17:36 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-04 17:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-04 17:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-03 19:10 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-09-03 19:10 <DIR> d-------- C:\PacSteam
2007-09-03 15:27 <DIR> d-------- C:\Steam
2007-09-03 15:12 <DIR> d-------- C:\Program Files\uTorrent
2007-09-03 15:12 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\uTorrent
2007-08-29 13:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-28 20:06 <DIR> d-------- C:\Program Files\Race To Mars
2007-08-28 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-28 11:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-27 21:28 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-08-21 20:56 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Bioshock
2007-08-20 19:39 <DIR> d-------- C:\Program Files\Ubisoft
2007-08-20 15:33 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-08-17 17:59 879,832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-08-17 17:59 108,360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-08-17 17:58 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-08-17 17:58 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-08-17 17:58 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-08-17 17:58 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-08-17 17:58 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-08-16 17:59 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-08-16 17:56 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\WinRAR
2007-08-14 22:34 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-08-14 22:27 <DIR> d-------- C:\Program Files\pspvideo9
2007-08-12 13:48 <DIR> d-------- C:\Program Files\Sierra
2007-08-11 16:23 <DIR> d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\DivX
2007-08-10 10:27 <DIR> d-------- C:\Program Files\gPotato


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-10 15:40 --------- d-------- C:\Program Files\Steam
2007-09-02 17:23 --------- d-------- C:\Program Files\Trillian
2007-08-31 18:46 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-08-28 15:39 --------- d-------- C:\Program Files\Dark Reign 2
2007-08-28 14:43 --------- d-------- C:\Program Files\Electronic Arts
2007-08-28 14:33 --------- d-------- C:\DOCUME~1\PENGAH~1\APPLIC~1\ATI
2007-08-21 20:56 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-20 19:41 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-20 12:38 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-08-16 19:56 --------- d-------- C:\Program Files\LimeWire
2007-08-11 16:22 --------- d-------- C:\Program Files\DivX
2007-08-09 18:33 --------- d-------- C:\Program Files\Apple Software Update
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 9464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-25 22:53 9336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-25 22:53 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-25 22:53 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-24 14:54 --------- d-------- C:\Program Files\Live_TV
2007-07-23 19:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Talkback
2007-07-23 19:36 4048 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-07-23 13:33 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\RegSweep
2007-07-21 17:32 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\ATI
2007-07-21 17:29 --------- d-------- C:\Program Files\ATI Technologies
2007-07-15 16:19 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ATI
2007-07-15 16:07 --------- d-------- C:\Program Files\SystemRequirementsLab
2007-07-15 09:42 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Apple Computer
2007-07-14 15:54 --------- d-------- C:\Program Files\QuickTime
2007-07-14 15:51 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:29 --------- d-------- C:\Program Files\Rockstar Games
2007-07-12 17:48 --------- d-------- C:\Program Files\StarSonata
2007-07-12 12:02 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\AdobeUM
2007-07-11 14:44 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-11 14:44 --------- d-------- C:\DOCUME~1\NEILST~1\APPLIC~1\Activision
2007-07-11 13:14 --------- d-------- C:\Program Files\Activision
2007-07-10 09:25 --------- d-------- C:\Program Files\Google
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:10 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 15:24 268288 --------- C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 15:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 15:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 15:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 15:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 15:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 15:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 15:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 15:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 15:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 15:07 2922208 --------- C:\WINDOWS\system32\ati3duag.dll
2007-06-13 14:57 1512960 --------- C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 14:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 14:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 14:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 14:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 14:36 368640 --------- C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-09-11 16:57 774144 --a------ C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((( snapshot_2007-08-29_134147.60 )))))))))))))))))))))))))))))))))))))))))

----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\$hf_mig$\KB933360\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$hf_mig$\KB933360\spuninst.exe
----a-w 60,416 2007-07-18 10:33:06 C:\WINDOWS\$hf_mig$\KB933360\SP2QFE\tzchange.exe
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\$hf_mig$\KB933360\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$hf_mig$\KB933360\update\updspapi.dll
-c----w 60,416 2007-01-29 08:58:06 C:\WINDOWS\$NtUninstallKB933360$\tzchange.exe
-c----w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe
-c----w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$NtUninstallKB933360$\spuninst\updspapi.dll
----a-w 6,799,360 2007-09-05 19:58:39 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 204,800 2007-09-05 19:58:40 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-r 102,400 2007-09-05 22:16:42 C:\WINDOWS\Installer\{974C05A0-C76C-4724-A9A2-11D5D1355729}\iTunesIco.exe
------w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
----a-w 182,248 2007-08-07 21:20:44 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
----a-w 585,728 2007-08-07 17:35:56 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-08-07 17:19:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-08-07 17:36:32 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,113,600 2007-08-07 20:52:32 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-08-07 17:08:48 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-08-07 17:17:24 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-08-07 17:35:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-08-07 17:35:32 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-08-07 17:28:38 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 391,144 2007-08-07 21:20:28 C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
----a-w 77,824 2007-08-07 17:37:56 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-08-07 17:35:18 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-08-07 17:37:58 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
----a-w 50,808 2007-08-07 17:08:46 C:\WINDOWS\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL

----a-w 6,647,808 2007-08-29 16:53:33 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 204,800 2007-08-29 16:53:34 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
------w 60,416 2007-01-29 08:58:06 C:\WINDOWS\system32\tzchange.exe
----a-w 182,512 2007-05-02 16:32:04 C:\WINDOWS\system32\Macromed\Director\SwDir.dll
----a-w 585,728 2007-04-30 21:11:28 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-04-30 20:08:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-04-30 20:30:38 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,089,024 2007-04-30 20:47:02 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-04-30 19:47:42 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-04-30 20:05:32 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-04-30 21:11:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-04-30 21:11:24 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-04-30 21:11:30 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 77,824 2007-04-30 20:33:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-04-30 20:29:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-04-30 20:33:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18]
"kgsystray"="C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe" []
"C2K"="C:\WINDOWS\Cyb2k.exe" []
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2007-05-09 07:17]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 17:01]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"cctray"="C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [2007-08-28 10:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Roai"="C:\WINDOWS\system32\SSTEM3~1\tracert.exe" []
"Idzfongz"="C:\WINDOWS\system32\?ppPatch\l?gonui.exe" []
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-07-16 17:54]
"Steam"="c:\program files\steam\steam.exe" [2007-07-15 19:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe

C:\DOCUME~1\NEILST~1\STARTM~1\Programs\Startup\
Eyetide Launcher.lnk - C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe [2006-09-09 11:56:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Neil Storkey^Start Menu^Programs^Startup^Eyetide Launcher.lnk]
path=C:\Documents and Settings\Neil Storkey\Start Menu\Programs\Startup\Eyetide Launcher.lnk
backup=C:\WINDOWS\pss\Eyetide Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMprocess]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\HbTools\Bin\4.8.2.0\HbtWeatherOnTray.exe

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys
R3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-09-05 21:38:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-23 17:28:49 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 15:39:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-10 15:44:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 15:44
C:\ComboFix2.txt ... 2007-09-09 16:14
C:\ComboFix3.txt ... 2007-09-09 10:07

--- E O F ---

This is the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:29 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EA Link\Core.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iTunes\iTunes.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wwe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [kgsystray] C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Roai] "C:\WINDOWS\system32\SSTEM3~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Idzfongz] "C:\WINDOWS\system32\?ppPatch\l?gonui.exe" 99001122
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neil Storkey\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161381435595
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.otoy.com/download/CAB/OTOYAX.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 12280 bytes

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:10:38 AM

Posted 11 September 2007 - 02:12 AM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKCU\..\Run: [Roai] "C:\WINDOWS\system32\SSTEM3~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Idzfongz] "C:\WINDOWS\system32\?ppPatch\l?gonui.exe" 99001122
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neil Storkey\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.
